lokibot | 8eee5bc1ed923773f6e9af1b39ff27e6b9de5586dc2957dc7284c4c145bd543e

General

Target

e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
Size

632KB
MD5

e9433fb6d9b9c922aae9b538e21fd1ce
SHA1

4c144946291926c79cd79df4b724bcc9085d385f
SHA256

8eee5bc1ed923773f6e9af1b39ff27e6b9de5586dc2957dc7284c4c145bd543e
SHA512

196e444a941940b9d79c8425a8c8386ba353adbb39b88d6d1738537cd1dc4b7547399b2c1ed905f847d5f7e9d60221e4ac1b6d435e3888acd43e39240322bbca
SSDEEP

12288:PON9i8AuXrQSY+VqgDU9hxgP88mH8zUNO4xRxhH3EVEqYPj2:PON9iLwwgIhxgPdm3NhxNEV8S

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://majesticraft.com/ema/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4220 set thread context of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
Token: SeDebugPrivilege	3352	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 3240	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	82
PID 4220 wrote to memory of 3240	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	82
PID 4220 wrote to memory of 3240	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	82
PID 3240 wrote to memory of 4276	3240	csc.exe	84
PID 3240 wrote to memory of 4276	3240	csc.exe	84
PID 3240 wrote to memory of 4276	3240	csc.exe	84
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85
PID 4220 wrote to memory of 3352	4220	e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9433fb6d9b9c922aae9b538e21fd1ce_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tv4j3hfk\tv4j3hfk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D8F.tmp" "c:\Users\Admin\AppData\Local\Temp\tv4j3hfk\CSCC028F9FD99F44F298E18C16C915A11B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6D8F.tmp

Filesize
1KB

MD5
773b5646f9c0e55a0edf6a4fb9f93750

SHA1
9dcfaf3b0d8ab7c774eec1c4acff8a00891a3a9f

SHA256
21f9cf8bad8b7f47f2e8bbe8f11e79029acb8cee88d408f574e6297ce0fe6bc3

SHA512
95ad3c84ca9da6b90a075292f036f1d9166213e967952b8ad7bc3838c9ef83e087acdec061833ca56d7507d5843096c91d25835b00c4916d47002b938309bb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4j3hfk\tv4j3hfk.dll

Filesize
20KB

MD5
3c4df925c5d8bd8f6d3d901414231594

SHA1
f24cbf3a5ec15b6d130c1138412d637ed20f8f74

SHA256
f9b0050fb711a6ce4a0fdae35833ac17ad9a3538280c800643a782f3aa786af1

SHA512
6e3c9a2222ce9e0b282f5612400564e061e24e8fd51fbf1e84e457b73e8f1d8776dadf7d9ff777c934a7e304a16e1262a325c4631fa7f7c0d6f8be74cc51f81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4j3hfk\tv4j3hfk.pdb

Filesize
67KB

MD5
418d672e2a756b9f60643677e18f12a6

SHA1
7d3c66413d8169db720a60a9d4a3d864a537f74a

SHA256
e5d84d36250093359c8cdd79ee4815d0ed9066ecfd0f891d8c365706e5d8b692

SHA512
dfb58156b5cbcbde16b3531dd8b83459264a5f2b32b8dda7ad5371784fcb2cd9627b9b826a430406c0541e7afd41cc9fe17d8d09dc3464c1ccb0331e04bc0f61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\0f5007522459c86e95ffcc62f32308f1_32404286-a0b5-4a93-9620-6f13fd83251a

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\0f5007522459c86e95ffcc62f32308f1_32404286-a0b5-4a93-9620-6f13fd83251a

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tv4j3hfk\CSCC028F9FD99F44F298E18C16C915A11B.TMP

Filesize
1KB

MD5
92b1ea09288e1b159a8d696f5853879f

SHA1
95fcdc9c8679bb3cd74f482cd4d09974e42d12f2

SHA256
f27c7a71b503d1ef6c2cba532a7d93cb87abe1206c43dd88ac9e348195ffe350

SHA512
7c814afa03223f3dcbe2b592662ff607a975dfa08beff0e17d4a71451437517c08c95ebf70174d85e34dbc219ca9a22ffd270b2e5c7ff7d7c4aca6beb0e6bc0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tv4j3hfk\tv4j3hfk.0.cs

Filesize
45KB

MD5
60c75a16554822c31d705d4b28fa3a2d

SHA1
72f4b55135063bfc7f116956bb3a3c79d03cb2ba

SHA256
b38b82c040dbeb3322b88780253e8d6b8cac5feb72d6805393c706319a6353ff

SHA512
fa35698b7a6ed0ed0a4dc6923dc5425af207b65930404d6fb623395d79ab3e85bffba453f4494a9e3e04f42ac8981b029fb3683b117ddd9de8a1d2237f5bd732

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tv4j3hfk\tv4j3hfk.cmdline

Filesize
312B

MD5
89a310824f1423272246796f8d84a02a

SHA1
bb25070bcc198ca98b46955f02e8c89f567e8dd6

SHA256
92186f1ca8169f469417d12ef0f802be73ffb909f86cab5652f01a59ec6f18b0

SHA512
cea28cac5309676aae6a9ce6df8c7700cc72fbd527111d67d25a75fad7ff48fbb7ee5c64b35a7ac4ff8ff3390572e1150839bf01b8b0e9b4320ef91e857a21be

Download Submit
memory/3352-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3352-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3352-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3352-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3352-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4220-21-0x0000000004ED0000-0x0000000004EDC000-memory.dmp

Filesize
48KB

Download
memory/4220-23-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/4220-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/4220-22-0x0000000004EF0000-0x0000000004F92000-memory.dmp

Filesize
648KB

Download
memory/4220-17-0x0000000002730000-0x000000000273C000-memory.dmp

Filesize
48KB

Download
memory/4220-20-0x0000000004CB0000-0x0000000004CDA000-memory.dmp

Filesize
168KB

Download
memory/4220-29-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4220-5-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4220-1-0x0000000000240000-0x00000000002E6000-memory.dmp

Filesize
664KB

Download
memory/4220-19-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing